public class BLS12_381ProofOfPossession
extends java.lang.Object
BLS_SIG_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_ together with a
separate proof-of-possession message that uses the
BLS_POP_BLS12381G2_XMD:SHA-256_SSWU_RO_POP_ DST.
This suite is the only one that supports fastAggregateVerify(org.bouncycastle.math.ec.ECPoint[], byte[], org.bouncycastle.crypto.bls.BLS12_381G2Point) —
all signers signed the same message, so verification reduces to summing
the public keys and running a single pairing check. The standalone
popProve(java.math.BigInteger)/popVerify(org.bouncycastle.math.ec.ECPoint, org.bouncycastle.crypto.bls.BLS12_381G2Point) primitives let a registry verifier
confirm that a signer holds the secret key for their declared public key
before accepting their signatures into an aggregate.
The public-key bytes used in the popProve(java.math.BigInteger)/popVerify(org.bouncycastle.math.ec.ECPoint, org.bouncycastle.crypto.bls.BLS12_381G2Point)
hash input are the Zcash-format 48-byte compressed G1 encoding produced
by BLS12_381Serialization.compressG1(org.bouncycastle.math.ec.ECPoint), matching
draft-irtf-cfrg-bls-signature's point_to_pubkey.
| Modifier and Type | Field and Description |
|---|---|
static byte[] |
DST |
static byte[] |
POP_DST |
| Modifier and Type | Method and Description |
|---|---|
static boolean |
aggregateVerify(ECPoint[] pks,
byte[][] messages,
BLS12_381G2Point sigAgg)
Aggregate verification under the ProofOfPossession suite.
|
static boolean |
fastAggregateVerify(ECPoint[] pks,
byte[] message,
BLS12_381G2Point sigAgg)
Fast aggregate verification: every signer signed the same message,
so
e(G1, sig_agg) == e(sum(pk_i), H(message)) reduces to a
single pairing check on the aggregated public key. |
static BLS12_381G2Point |
popProve(java.math.BigInteger sk)
Generate a proof-of-possession for
sk. |
static boolean |
popVerify(ECPoint pk,
BLS12_381G2Point proof)
Verify a proof-of-possession against the declared public key.
|
static BLS12_381G2Point |
sign(java.math.BigInteger sk,
byte[] message) |
static boolean |
verify(ECPoint pk,
byte[] message,
BLS12_381G2Point signature) |
public static BLS12_381G2Point sign(java.math.BigInteger sk, byte[] message)
public static boolean verify(ECPoint pk, byte[] message, BLS12_381G2Point signature)
public static BLS12_381G2Point popProve(java.math.BigInteger sk)
sk. The proof is bound to
SkToPk(sk) via the POP DST and the public-key encoding so a
verifier can confirm the signer holds the matching secret key without
any context message.public static boolean popVerify(ECPoint pk, BLS12_381G2Point proof)
public static boolean aggregateVerify(ECPoint[] pks, byte[][] messages, BLS12_381G2Point sigAgg)
public static boolean fastAggregateVerify(ECPoint[] pks, byte[] message, BLS12_381G2Point sigAgg)
e(G1, sig_agg) == e(sum(pk_i), H(message)) reduces to a
single pairing check on the aggregated public key. Caller is
expected to have run popVerify(org.bouncycastle.math.ec.ECPoint, org.bouncycastle.crypto.bls.BLS12_381G2Point) on each pk_i before
trusting the aggregate.